Death of the cookie banner: The new boundaries of consent management

Sergio Maldonado
PrivacyCloud
May 28, 2018

The most noticeable thing about May 25th? I certainly did not expect an avalanche of consent management widgets taking over the Internet in a matter of hours. Not after watching everyone put off adapting those cookie banners and privacy notices until the very last minute, hoping for a last-minute exception, or better guidance, or worldwide rebellion…

After all, the GDPR is only tangentially applicable to cookies (or fingerprinting), still subject to their own lex specialis in the form of the soon-to-be-replaced ePrivacy Directive*.

But it did happen. And we have now officially entered the era of Consent Management Tools. Which is a perfect time to bring a new angle to the important trade-off they represent.

THE RISK-SAMPLE SLIDER

I believe we need a “non-compliance risk vs. audience sample” slider to understand the manner in which cookie consent management handles risk.

The risk-sample slider for cookie consent management

In case it requires an explanation: As you move to the left you face greater risk. As you move to the right, you are left with a gradually smaller audience sample.

How do you “move” along the slider? By playing with three particular conditions of consent, as per the European Data Protection Board’s Guidelines:

  • Granular: consent must be obtained for every purpose (behind the collection and processing of personal data)
  • Unambiguous: pre-ticked boxes will not do. Only a clear choice will result in true consent
  • Informed: certain pieces of information must be made available on the first layer.

(I am taking for granted a fourth condition, as this is rarely missed: consent for personal data processing must be unbundled from more generic terms and conditions.)

THE TOUR

Having a basic framework makes it much easier to go out there and start ranking the many examples now available to us (one mere weekend into the GDPR).

I have picked a few for no particular reason, some of them using the same piece of technology (as in Consent Management Tool or CMT) for very different levels of compliance, thereby illustrating that this is not about the particular technology, but rather about the choices we make.

Low risk, small sample

The following examples seem to meet all three conditions to a varying degree, and I will not get into weighing these conditions against each other at this point. I also appreciate that a simple, clean UI will normally trump complexity and saturation.

AdWeek, layer 1: basic information, mostly unambiguous consent.
AdWeek, layer 2: purpose-specific selection.
TrustArc: own medicine, applied.

High risk, larger sample

Quite paradoxical that two technology providers (SAP, Oracle) that will often talk about Privacy by Design and “all-around” GDPR compliance have opted for the higher risk option. I do not see how the following can survive the most optimistic scrutiny, but self-assessment is the name of the game and they will surely have their reasons.

Oracle, layer 1: unambiguous? informed?
SAP layer one: nothing to add.

WHEN OTHERS CALIBRATE RISK ON YOUR BEHALF

Despite what I have just said about self-assessment and a general principle of (self) accountability, there will be many instances where it is not entirely up to you to decide where you want to be on the Risk-Sample Size slider.

The simple reason for this is intermediation. For all the platforms/technologies/parties participating in the (pseudonymized) personal data’s chain of custody, only those with direct access to individuals are in a position to gather their consent. This pretty much discards everyone except publishers, advertisers, and aggregators (Google/Facebook).

Consumer touchpoints become consent gathering checkpoints.

As a result, those who find themselves in the dark (with regard to customer touchpoints) are obliged to either act under the instructions of a “data controller” (which makes them “data processors”), or request that other independent controllers obtain consent on their behalf.

Certain Google services (AdWords, DoubleClick, AdMob) provide a great illustration of this latter scenario. Whenever such services are offered under a “co-controller” (or independent controller) relationship**, advertisers and publishers are contractually obliged to gather consent on Google’s behalf. This is not something that publishers have found easily palatable, and the revolt of certain associations against it — and their demand that Google adopt a data processor role — has been well documented.

Although I strongly believe that Google had no alternative (other than deceiving everyone, as it is clear that their b2b customers have little to say in the manner in which Google employs the data obtained from multiple properties in order to provide the very unique value that all of them are expecting of the platform in the first place), I understand the temptation to demand that Google acts as it already does for other services (e.g., Google Analytics): as a “dummy tool” limited to following a set of instructions.

Other vendors out there are resorting to the same solution and, again, I think they are right to do so.

In any case, my entire point here is the manner in which these contracts are influencing the specific ingredients of consent (again: granular, informed, unambiguous). Google claims to be following the WP29 (now EDPB) Guidelines on Consent when requesting that publishers and advertisers deploy something along these lines if they want to use their products:

The message on the right will be shown to those answering “no”.

Not only are Google recommending specific technologies to accomplish that result, they are even providing their own consent management tool (still in beta), through their Funding Choices program.

HOW ABOUT NO POP-UP AT ALL?

I have discussed this many times in greater detail. Why is Apple.com not showing any banner or pop-up whatsoever? Just have a look at the cookies they are serving. They stick to analytics cookies that seem (from the very far distance) to respect the conditions that would make them qualify under the analytics “waiver” and, eventually, an exception provided by the draft ePrivacy Regulation (which, as said, will replace the ePrivacy Directive in a few months).

Apple.com (as seen by EU customers) through the eyes of the Ghostery plug-in.

Of course, try selling those limitations to your marketing department in this day and age, with many a digital marketer betting her career on the attainment of multi-touch attribution.

Would it not be great to avoid UI friction altogether and yet have access to some sort of people-based marketing, or people-based analytics? Bearing in mind that the days of stealth data collection are over, such a scenario would require direct end user involvement.

THE JOURNEY TO SELF-MEASUREMENT

It seems obvious to me that we will at some point get tired of asking individuals for each and every single data point (alienating them in the process) for the sole purpose of building an incomplete repository that has not proven of much value so far. If we want to do people-based marketing we have to let people measure themselves, then provide them with a good enough reason to share whatever we need from them, whenever we need it.

The personal data collection journey. People keep piling data about themselves. Brands keep storing a few scattered data points from an ever-smaller sample… until we rethink the entire flow for the benefit of both.

The future certainly looks bright for certain types of brand-managed solutions for the collection and storage of customer/audience data. But if they are to guarantee accuracy and privacy compliance, they may need to contemplate a major change in the manner in which data is collected, integrated, and activated.

Putting customers at the center through self-measurement and data ownership seems like a good start.

*THE GROUNDS

As an express recap, cookie banners were born out of a very lenient interpretation of the EU ePrivacy Directive (as amended in 2009). Its article 5.3 required consent prior to using cookies (and similar device-tracking mechanisms) in the absence of certain exemptions.

Most crucially, such article 5.3 delegated the definition of consent to another Directive which the GDPR has just come to replace. If, under the former, the mere act of browsing ended up constituting permission, article 4.11 of the latter (and its official guidance) makes it clear that consent will only be valid if it happens prior to the fact, and it meets the various conditions already discussed.

** CO-CONTROLLERS ARE NOT JOINT CONTROLLERS

In case there are still questions on this one: whereas joint controllers (article 26 GDPR) do get to agree on the manner in which they will jointly process personal data, assign responsibilities to each other, and jointly manage whatever issues arise as a result of the processing, co-controllers are truly independent from each other. They just happen to be passing data from one party to another, but each of them has its own separate agenda, purposes, and plans. They have no intention of exposing their inner workings to the other party, and one of them may very well need to deal with third parties at scale (which is the case with Google).

Here’s a simple chart illustrating four alternative options (and there is room for more).

Different permutations of decision-making in the chain of custody.

Sergio Maldonado
PrivacyCloud

Dual-admitted lawyer. LLM (IT & Internet law), Lecturer on ePrivacy and GDPR (IE Business School). Author. Founder: PrivacyCloud, Sweetspot, Divisadero/Merkle.